Some samples submitted but not processed

AnthonyQ · August 18, 2022

Hi,

I've recently submitted several samples to ESET via email, but they haven't been detected.

Sample 1: https://www.virustotal.com/gui/file/7750749daa1ad5c1de9144b4e4a4430b647dcaea8e68bf2f34da81e1ae19f567

Sample 2: https://www.virustotal.com/gui/file/b318662824bcd550e8a3161a184b4e7f9dc1265c82ac6cb565bfcd53ac834c26 (it will try to disable UAC during installation)

Sample 3: https://www.virustotal.com/gui/file/785e9b07fc8ed60165bccab77cd09e1a7991ce1c54c6afb58a9d4d37b76e69e0

Sample 4: https://www.virustotal.com/gui/file/69b8b968c8f68670ed353f2f4752b2af092d4a19a92c1bc235b293fa0b188bd4

Sample 5: https://www.virustotal.com/gui/file/bf4ed8d5dc017a7346f7981ce4db8156c1b76b0cd6f9a37394378371fb548870

Please take a look at them and add proper detection.

Anthony

itman · August 18, 2022

Eset detects sample 3 as FlyStudio.

The samples not detected that are most concerning are 4 and 5 which have 20+ detection's at VT.

Sample 1 appears to be a hacktool.

Nevermind · August 18, 2022

20 minutes ago, itman said:

Sample 1 appears to be a hacktool.

Unless you qualify hacktool as a silent installation of Remote Admin, creating new windows users and sending your network properties to some Chinese email address I wouldnt call it a hacktool

Edited August 18, 2022 by Nevermind

itman · August 18, 2022

18 minutes ago, Nevermind said:

Unless you qualify hacktool as a silent installation of Remote Admin, creating new windows users and sending your network properties to some Chinese email address I wouldnt call it a hacktool

My posting was based on VT detection comment noting Github YARA sig. detection.

VT analysis shows no outbound connection to known malicious C&C servers from the .msi installer. However, it appears there might be a malicious Excel macro embedded in the .msi installer based on outbound network traffic detection's from the macro. However, detection score is 10/71.

azeu666 · August 18, 2022

My previous post was hidden.- Example: https://www.virustotal.com/gui/file/9f6b0cb35a1fe1c455248de5a6eeb9c26500d0269bbf20f8b876736416cf6320?nocache=1

Another example: https://www.virustotal.com/gui/file/1aaf4de53354804892f469dc81af5c889c575c931852cfa7f07b2313c54196b6?nocache=1

Edited August 18, 2022 by azeu666

Marcos · August 18, 2022

2 hours ago, azeu666 said:

My previous post was hidden.- Example: https://www.virustotal.com/gui/file/9f6b0cb35a1fe1c455248de5a6eeb9c26500d0269bbf20f8b876736416cf6320?nocache=1

This one is corrupted, ie. not subject to detection.

2 hours ago, azeu666 said:

Another example: https://www.virustotal.com/gui/file/1aaf4de53354804892f469dc81af5c889c575c931852cfa7f07b2313c54196b6?nocache=1

Already detected (VirusTotal will show it detected in 2-3 hours):

1aaf4de53354804892f469dc81af5c889c575c931852cfa7f07b2313c54196b6.exe - a variant of MSIL/GenKryptik.FYZX trojan

Moreover, this one was detected upon execution by an older version with more than 2 year old modules and without Internet connection:

azeu666 · August 19, 2022

I use Endpoint Antivirus for Linux with its inherent limitations (no Pico updates) not Eset Internet Security. When I scanned the two files with the existing detection engine, the two malware files were not detected.

Also, when I used: https://opentip.kaspersky.com/

and ClamAv using the Yara rule set from open source- https://www.reversinglabs.com/products/open-source-yara-rules

There was no issue in detecting the so-called "This one is corrupted, ie. not subject to detection."

Edited August 19, 2022 by azeu666

azeu666 · August 19, 2022

My apologies I forget add that we use www.securiteinfo.com (Pro) integrated with ClamAv as well.

AnthonyQ · August 21, 2022

Another two samples were submitted, but I did not get a reply, and no detection was added.

Sample 1: https://www.virustotal.com/gui/file/4e9ea62b43f207f6bbe7780c4d5258d946de7d31d32975950491897999579c84

Sample 2: https://www.virustotal.com/gui/file/26fcb0b2ee87c249d282c9c922b66b8a5a97d4af19938fa533858bf11913c63b

Also, as I haven't received any reply from ESET Lab since early August, I would like to know whether ESET Lab can actually receive my email submission.

itman · August 21, 2022

14 hours ago, AnthonyQ said:

Also, as I haven't received any reply from ESET Lab since early August, I would like to know whether ESET Lab can actually receive my email submission.

Verify; using tracert, etc., you can reach the below listed domains/IP addresses. Assumed is if you can reach one, you can reach all.

AnthonyQ · August 21, 2022

1 hour ago, itman said:

Verify; using tracert, etc., you can reach the below listed domains/IP addresses. Assumed is if you can reach one, you can reach all.

I submitted samples via email, not in-product submission system.

Btw, these two samples are still not detected…

itman · August 21, 2022

34 minutes ago, AnthonyQ said:

I submitted samples via email, not in-product submission system.

Are you using G-mail to do so? If this is the case, refer to this posting: https://forum.eset.com/topic/32997-submit-samples-with-gmail/#comment-153347 . BTW - you should be aware of this G-mail issue since you commented in this thread.

If you are not using G-mail for submission, ensure your e-mail request conforms to the following criteria:

https://support.eset.com/en/kb141-submit-a-virus-website-or-potential-false-positive-sample-to-the-eset-lab?ref=esf

Edited August 21, 2022 by itman

AnthonyQ · August 21, 2022

29 minutes ago, itman said:

Are you using G-mail to do so? If this is the case, refer to this posting: https://forum.eset.com/topic/32997-submit-samples-with-gmail/#comment-153347 . BTW - you should be aware of this G-mail issue since you commented in this thread.

If you are not using G-mail for submission, ensure your e-mail request conforms to the following criteria:

https://support.eset.com/en/kb141-submit-a-virus-website-or-potential-false-positive-sample-to-the-eset-lab?ref=esf

No, I use Outlook mail, the same one I signed up for in this forum.

itman · August 21, 2022

2 hours ago, AnthonyQ said:

No, I use Outlook mail, the same one I signed up for in this forum.

Are you sending your e-mail w/sample attached to Eset in plain text format as specified in Eset KB article? Here's how to do so: https://www.lifewire.com/outlook-plain-text-message-1165895 .

Edited August 21, 2022 by itman

SeriousHoax · August 21, 2022

1 hour ago, itman said:

Are you sending your e-mail w/sample attached to Eset in plain text format as specified in Eset KB article? Here's how to do so: https://www.lifewire.com/outlook-plain-text-message-1165895 .

He submitted samples many times before and got responses too, more or less, so I'm sure he knows how to send. I don't submit a lot, but even in my experience, it has been extremely bad for a while. I've tried different emails too a few times, but it didn't improve the experience much. Besides, I don't remember ESET ever adding phishing sites to their database that I submitted via that dedicated website. I've stopped submitting samples to ESET to not waste my time. Nowadays, the main way to make ESET add detection is to share VT links here on the forum.

Marcos · August 21, 2022

38 minutes ago, SeriousHoax said:

I don't remember ESET ever adding phishing sites to their database that I submitted via that dedicated website.

Any example please? Of course if you submit a lot of urls, those must be manually reviewed and opened by an analyst to find out if they are indeed phishing and subject to blocking. If you submit one or a few a time, they should be reviewed and possibly blocked relatively quickly (in 1 - 72 hours).

itman · August 21, 2022

As far as reporting phishing web sites, that procedure is also noted in the above linked Eset KB article:

Quote

Submit a fraudulent page (phishing)

If you believe you have deliberately and deceitfully discovered a similar page to another, complete this form to notify us.

Note that Eset now requires a form to be completed and submitted.

Also since the Eset KB article is dated Aug, 10, 2022, it appears that the whole sample submission process has been recently revised.

Edited August 21, 2022 by itman

SeriousHoax · August 26, 2022

On 8/22/2022 at 1:57 AM, Marcos said:

Any example please? Of course if you submit a lot of urls, those must be manually reviewed and opened by an analyst to find out if they are indeed phishing and subject to blocking. If you submit one or a few a time, they should be reviewed and possibly blocked relatively quickly (in 1 - 72 hours).

I can only say what I experience myself. Talking about malware submission experience, I sent this sample to ESET more than 2 weeks ago on 12 August but neither I have heard back nor a signature has been created yet. LiveGuard gave it a safe verdict, but it's not safe.

e.png.f789fd90efe46068c1258364199bd8cd.png

If possible, please improve the processing of samples submitted by users.

VT link of the sample: VirusTotal - File - d468b56da07173c69423973b706924187e134d0baea07e2ef8e7b49afcd5aacd

itman · August 26, 2022

6 hours ago, SeriousHoax said:

VT link of the sample: VirusTotal - File - d468b56da07173c69423973b706924187e134d0baea07e2ef8e7b49afcd5aacd

Here's the Hybrid-Analysis analysis of it: https://www.hybrid-analysis.com/sample/d468b56da07173c69423973b706924187e134d0baea07e2ef8e7b49afcd5aacd?environmentId=120 . It creates a Python based keylogger. It is also VM aware. As such, I am not surprised Eset doesn't detect it.

Edited August 26, 2022 by itman

Nevermind · August 26, 2022

6 hours ago, SeriousHoax said:

I can only say what I experience myself. Talking about malware submission experience, I sent this sample to ESET more than 2 weeks ago on 12 August but neither I have heard back nor a signature has been created yet. LiveGuard gave it a safe verdict, but it's not safe.

This happens when there is ulimited access to a sample queue processed entirely by real ppl Btw I dont think virus guys send replies to each such email. Your sample will be detected soon if it is not already.

Marcos · August 26, 2022

24 minutes ago, Nevermind said:

Btw I dont think virus guys send replies to each such email. Your sample will be detected soon if it is not already.

Correct. The said Python installer sample has been analyzed for several hours already and the analysis is still ongoing and will likely be eventually detected when finished.

SeriousHoax · August 26, 2022

2 hours ago, itman said:

Here's the Hybrid-Analysis analysis of it: https://www.hybrid-analysis.com/sample/d468b56da07173c69423973b706924187e134d0baea07e2ef8e7b49afcd5aacd?environmentId=120 . It creates a Python based keylogger. It is also VM aware. As such, I am not surprised Eset doesn't detect it.

Yeah, it needs to be analyzed manually.

40 minutes ago, Nevermind said:

This happens when there is ulimited access to a sample queue processed entirely by real ppl Btw I dont think virus guys send replies to each such email. Your sample will be detected soon if it is not already.

I don't need replies as long as submitted samples get added to the database. Well, I have waited 2 weeks which is long enough. Too long I would say.

peteyt · August 26, 2022

2 hours ago, SeriousHoax said:

Yeah, it needs to be analyzed manually.

I don't need replies as long as submitted samples get added to the database. Well, I have waited 2 weeks which is long enough. Too long I would say.

2 hours ago, Nevermind said:

This happens when there is ulimited access to a sample queue processed entirely by real ppl Btw I dont think virus guys send replies to each such email. Your sample will be detected soon if it is not already.

Yeah the thing is in a world where new viruses appear all the time, while no AV can offer full protection, if a user submits a possible malware it shouldn't take 2 weeks to get detected. If actual malware that could have infected multiple users in the meantime

itman · August 26, 2022

2 hours ago, Marcos said:

The said Python installer sample has been analyzed for several hours already and the analysis is still ongoing and will likely be eventually detected when finished.

For me, this sums up the state of malware detection at Eset.

You have 32/71 VirusTotal vendors detecting it as malicious; first submission there was 8/14. There is at least one respected public cloud sandbox giving it a 100/100 malicious verdict. Yet, Eset VirusLab after hours of behavior observation can't determine if the sample is malicious.

Edited August 26, 2022 by itman

itman · August 26, 2022

Following up on my last posting, I think its time Eset add a new section to Real-time settings titled "Additions." Format for this section would be identical to existing "Detection Exclusions" section with the exception only SHA1 hash value could be entered with no path option specified. Eset real-time scanning would be modified to always check and process entries in "Detection Additions" prior to any other processing.

The above would cover a user until Eset got around to detecting a submitted malware sample.

Edited August 26, 2022 by itman

Sign In

Some samples submitted but not processed

Recommended Posts

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Submit a fraudulent page (phishing)

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Recently Browsing 0 members

Quick search

FAQ

Topics